From: Richard Haines Date: Mon, 19 Mar 2018 17:33:36 +0000 (+0000) Subject: selinux: Update SELinux SCTP documentation X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d3cc2cd7c8d7adfb43075036878e319d5893280d;p=openwrt%2Fstaging%2Fblogic.git selinux: Update SELinux SCTP documentation Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect how the association permission is validated. Reported-by: Dominick Grift Signed-off-by: Richard Haines Signed-off-by: Paul Moore --- diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst index 2f66bf30658a..a332cb1c5334 100644 --- a/Documentation/security/SELinux-sctp.rst +++ b/Documentation/security/SELinux-sctp.rst @@ -116,11 +116,12 @@ statement as shown in the following example:: SCTP Peer Labeling =================== An SCTP socket will only have one peer label assigned to it. This will be -assigned during the establishment of the first association. Once the peer -label has been assigned, any new associations will have the ``association`` -permission validated by checking the socket peer sid against the received -packets peer sid to determine whether the association should be allowed or -denied. +assigned during the establishment of the first association. Any further +associations on this socket will have their packet peer label compared to +the sockets peer label, and only if they are different will the +``association`` permission be validated. This is validated by checking the +socket peer sid against the received packets peer sid to determine whether +the association should be allowed or denied. NOTES: 1) If peer labeling is not enabled, then the peer context will always be